I found out how to enable debugging for sudoers:

Debug sudo /var/log/sudo-debug all@info
Debug sudoers.so /var/log/sudoers-debug all@info

With the *new* sudo I get the following logged matching 'sssd':

May 5 12:40:06 sudo[17912] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%security_administrators' ... not (brian.candler)

But with the *old* sudo I get:

May 5 12:41:48 sudo[18384] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 12:41:48 sudo[18384] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!
May 5 12:41:48 sudo[18384] sssd/ldap sudoCommand 'ALL' ... MATCH!

It seems to be a behaviour change with group checking. The 'brian.candler' user *is* a member of one of those groups in IPA; but those groups are not posix groups, so they are not visible using (e.g.) "id".

I was able to solve the problem by adding

objectClass: posixgroup
gidNumber: NNNNNNNN

to those group objects. After this, the sudoers log shows:

May 5 13:11:50 sudo[19545] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%security_administrators' ... MATCH! (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!
May 5 13:11:50 sudo[19545] sssd/ldap sudoCommand 'ALL' ... MATCH!

So: arguably this is not a bug, but a bug fix. Still, it would be nice if the release notes explained the potential for regression.

--
https://bugs.launchpad.net/bugs/1688034

Title:
  1.8.16-0ubuntu1.3 update breaks sudo with freeipa-client / sssd
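An added diagnostic for the sudoers debug output quoted above (example code, not from the bug report or the sudo project): it parses the `sssd/ldap` check lines per sudo PID and reports which `%group` entries failed to match the invoking user, which is the symptom that pointed at the non-POSIX IPA groups. The sample lines are constructed from the ones in the post, and treating a logged `sudoCommand ... MATCH!` as the acceptance signal is an assumption drawn from those logs.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sudoers-debug lines quoted in the post.
SAMPLE_LOG = """\
May 5 12:40:06 sudo[17912] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%security_administrators' ... not (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%security_administrators' ... MATCH! (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!
May 5 13:11:50 sudo[19545] sssd/ldap sudoCommand 'ALL' ... MATCH!
"""

# One debug line: sudo[PID] sssd/ldap <attribute> '<value>' ... MATCH!|not [(user)]
LINE_RE = re.compile(
    r"sudo\[(?P<pid>\d+)\] sssd/ldap (?P<attr>\w+) '(?P<value>[^']*)' \.\.\. "
    r"(?P<result>MATCH!|not)(?: \((?P<user>[^)]*)\))?"
)


def parse_debug_log(text):
    """Group (attr, value, matched, user) tuples by sudo PID."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines that are not sssd/ldap rule checks
        sessions[m["pid"]].append(
            (m["attr"], m["value"], m["result"] == "MATCH!", m["user"])
        )
    return dict(sessions)


def diagnose(sessions):
    """Per PID: was the user accepted, and which %group sudoUser entries failed?"""
    report = {}
    for pid, checks in sessions.items():
        failed_groups = [
            value[1:] for attr, value, ok, _ in checks
            if attr == "sudoUser" and value.startswith("%") and not ok
        ]
        # Assumption from the quoted logs: sudoCommand is only checked (and
        # logged) once some rule's sudoUser accepted the invoking user.
        accepted = any(attr == "sudoCommand" and ok for attr, _, ok, _ in checks)
        report[pid] = {"accepted": accepted, "failed_groups": failed_groups}
    return report
```

A group listed under `failed_groups` that the user belongs to in IPA is the case described in the post: check whether that group object carries `posixgroup` and a `gidNumber` before assuming the sudo rule itself is wrong.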
